Dan says he's using the default settings for clear-on-quit, and it includes clearing out saved passwords. So because Weave stores its passwords in the password manager, they get cleared out and Weave no longer can log in.

It's not the default, FWIW. http://mxr.mozilla.org/mozilla-central/source/browser/app/profile/firefox.js#410 http://mxr.mozilla.org/mozilla1.9.1/source/browser/app/profile/firefox.js#397 pref("privacy.clearOnShutdown.passwords", false); Not sure what the right approach is here offhand.

The only true way to fix this would be to store passwords in some other format. I don't know if that's right/useful, but it's not a priority, so Future.

There is a kind of work-around: - clear all of your passwords using "Tools | Clear Recent History" - uncheck the option that deletes saved passwords on exit (Preferences | Privacy | History) - uncheck "Remember passwords on sites" (Preferences | Security | Passwords) - enter your sync password That way, the Sync password is the only thing that's in the password store and it stays there.

I'd like to see security's perspective on this.

I am unsure of what the particular use case for sync + clear-on-quit is. This appears to be a temporary sync of sorts, but then I don't know why you would want your sync credentials on the machine at all. The best use case I can think of is if you have explicitly set clear-on-quit to clear passwords only for privacy reasons. However, I still don't think you would want your sync credentials to persist on the machine since an attacker with those credentials can pull down your other passwords. I don't think storing the credentials in any of the normal Firefox locations works because the user won't normally know that the credentials are stored in passwords / local storage / site preferences. Assuming that the use-case is for a temporary sync, could we add a feature to sync to only persist the credentials in memory? Quitting Firefox would require the user to redo JPAKE or BID login (once implemented).

(In reply to David Chan [:dchan] from comment #11) > Assuming that the use-case is for a temporary sync, could we add a feature > to sync to only persist the credentials in memory? Quitting Firefox would > require the user to redo JPAKE or BID login (once implemented). I /think/ this would be a feature of "login to the browser."

I personally use Sync to store bookmarks but not passwords. So I do want Sync to save its credentials, but I don't want anything else stored in the password store. Therefore, the work-around I described in comment 9 works very well for me. The only thing that is a bit of a usability problem IMHO is that there should be some kind of warning when you enable Sync and have "clear passwords on quit" turned on. I got confused when I first enabled Sync and had to reenter the Sync password at every login.

(In reply to Francois Marier from comment #13) > I personally use Sync to store bookmarks but not passwords. So I do want > Sync to save its credentials, but I don't want anything else stored in the > password store. Therefore, the work-around I described in comment 9 works > very well for me. > > The only thing that is a bit of a usability problem IMHO is that there > should be some kind of warning when you enable Sync and have "clear > passwords on quit" turned on. I got confused when I first enabled Sync and > had to reenter the Sync password at every login. Thanks for clarifying your use case. I agree that the UX is confusing. Maybe we could store the credentials under Site preferences or offline storage?

Are site preferences or offline storage protected by the master password? If not, those options would be a non-starter, I think.

(In reply to Gregory Szorc [:gps] from comment #15) > Are site preferences or offline storage protected by the master password? If > not, those options would be a non-starter, I think. They aren't as far as I know. The credentials would have to be encrypted before hand. I wonder if it possible to retrieve the ciphertext for master password protected credentials. Those could then be persisted in another data store and "synced" back to the password storage.

The same is happening, if inside the password manager you remove all passwords. (see bug 88175). A solution would be, if that would only clear all passwords *except* the sync-password.

typo in last comment 20: I meant bug 881175

I'm hopeful that these issues will be addressed by PICL.